Dear security vendors, Tell me what problem your solution is solving! I don't care what alphabet soup category you fall under. I don't care where you are on some Magic Quadrant, Hype Cycle, Cool Vendor list, which military branch your founders are from, or how many exits they had. Don't start by "Our solution gives the CISO visibility..." or "Our solution provides ...". All I want to know is what problem your solution is solving. If I have this problem and it is a priority (and I have budget) at this time, I may engage. If not, please go away until it is a priority (I will let you know). You will save both of us a lot of time and effort.

*** 11/22/2024 Update *** My intention with this post was a Public Service Announcement (PSA), not a call to send me sales pitches. But it's on me, I should have done a better job articulating it! I received hundreds of product pitches. Some you can see in the comments below, others were sent to my work email. You can see for yourself from the pitches in the comments that they proved my point. Almost everyone tells you what they do, but not what problem they solve! Very very few who attempted to articulate the problem either pointed to a symptom of the problem but not to a root cause, or provided anything to back their statement. Saying that "The number of vulnerabilities is growing" or "The number of malicious emails is growing" doesn't qualify as a problem. Does your problem statement pass the "So What?" question? Who cares and why should they? #CISO
Problem: code scanners include so many false positives that developers ignore alerts. Real critical issues get by unmanaged. Security engineers pick up the slack, spending their time validating false issues and firefighting what’s left. Aikido auto-triages the false positives so that developers only see true positives, taking the suck out of security scanning. Security engineers don’t burn out and can focus on prevention.
I think the comment section has turned into "The Bachelor - Security Vendor Edition" 🌹 😂 Thanks for being straightforward as usual, Yaron!
How's this: we automatically generate code fixes for vulnerabilities reported by commercial SAST tools in a predictable and deterministic way to help developers eliminate the security backlog at scale while also fixing newly reported findings as soon as they come up. Reach out if you want to learn more or try it out. How was that? I know I mentioned SAST, but it's not what we do, and anyway for most of us it's part of the language, not an acronym 😉
At this point, might as well embrace being a cliche and prepare to be ridiculed… the problem our solution is solving: attackers are publishing malicious packages targeting your developers and you can’t scan every package before your developer downloads them (we do) and/or stop them from being downloaded without implementing a manual review process and severely slowing down development (we automate this). Ridicule away :)
I read Yaron’s post as more of a PSA and less of an invitation for vendors to randomly shoot their shot to hone their cold outreach skills- but maybe I misread this one 😉
Problem: lack of clear priority on vulnerabilities/misconfigurations in an environment to fix first - when a vulnerability scanner says everything is critical, nothing is. Problem: don’t know for sure that mitigations are in place, or what the blast radius of a breach will be. Problem: manual pentests are expensive, so can only afford to do once or twice a year, giving the barest of “snapshots in time” that are obsolete long before the next pentest.
We reverse the damage done by ransomware.
I always like the "I know you have product X, my product does the same but 1% better....or has one hardly used feature" So, I suggest you pay for both!
CISO at Dolby | 2x CISO | Security Tinkerer | Board Member | Boardroom Certified Qualified Technology Expert (QTE) | Venture Advisor | CSA Research Fellow